The Panama Papers: A security warning to the industry

The data breach at Panamanian law firm Mossack Fonseca, known as the Panama Papers, has officially been recognised as the largest of its kind, with 11.5 million leaked files exposing the ways hundreds of rich and powerful people have exploited offshore tax regimes. The opinion of most onlookers has depended largely on their view of the offshore practices the firm facilitated, but the fact is that any organisation that deals with sensitive data should take note.

Aside from the sheer number of leaked files, the incident is also notable for its impact. As a result of the breach, 12 national leaders and 143 politicians, their families and close associates from around the world were exposed as having offshore accounts. It even prompted the resignation of one world leader, with Iceland’s Prime Minister Sigmundur Davíð Gunnlaugsson stepping down after the revelations sparked widespread protest in the country.

Unusually for a data breach, it seems that the organisation was targeted primarily to make the practices of the offshore trading world public knowledge, and not for any financial gain. Although having money in offshore accounts is not illegal in itself, it is widely considered dubious practice and some were found to be involved with illegal practices including fraud and tax evasion.

All sensitive data is under threat

For the tens of thousands of businesses in the UK and beyond that routinely deal with sensitive information for their clients, the Panama Papers may seem like someone else’s problem. After all, if the firm was targeted on moral grounds, legal and financial firms which don’t offer those kinds of services are not under threat.

However, any firm that is involved in holding sensitive information for their customers, regardless of the cause, should take the breach as a warning, and ensure that all of their data is well protected.

Initially it was thought that the leak may have been an inside job; however, it now appears that it was an external hack. The documents were leaked to the global press by an unknown source who cites income equality as his motivation. Whilst companies need to protect themselves against external hacks, it is important that they do not overlook the danger internally. The majority of data leaks still originate from inside an organisation.

The insider threat

In the 2015 Insider Threat Spotlight report, sponsored by Watchful Software, 62 per cent of security professionals said they believed insider threats had become more frequent in the previous 12 months.

These insiders could be opportunists looking to make a quick fortune by selling data on the black market or to rivals, or they could be planning to take it with them to a new job. They may even intend to go it alone and form a new business, as was seen with the attempted data theft earlier this year at pharmaceutical giant GlaxoSmithKline.

In particularly extreme cases, they may even have joined the company with the sole intent of accessing data, either independently or as a plant, and we have also seen cases of employees being bribed or blackmailed by criminal gangs to provide their access or steal data directly.

Protecting against all threats

With threats to an organisation's security just as likely from inside as outside, it is essential to have a security policy which protects the data from both risks simultaneously. In the case of Mossack Fonseca for example, some data security experts have noted that the firm did not appear to be encrypting its emails – which made up around 4.8 million of the stolen files. Files like these are equally at risk from external hacking attacks and malicious insiders marauding around the network.

Organisations can drastically reduce this threat by implementing Role Based Access Controls (RBAC), whereby all employees are assigned appropriate access rights, locking down sensitive files to essential personnel only.

Using this approach, all files are encrypted on creation and rendered useless to anyone who has not been assigned the access rights. Even in the case of a USB drive being left or dropped somewhere, or an email being accidentally sent to the wrong person, any recipient who does not have the appropriate access rights will not be able to open the file.

RBAC is at its most effective when teamed with a method of data classification. By providing key words or phrases, the software is able to identify a particular file and assign it an appropriate classification status. Businesses can set these classifications and restrictions to their own needs – for example setting certain files to 'internal use only' to prevent them from being moved, or 'classified' to restrict them to only the highest level of authorisation. This also ensures that all files are protected automatically as they are created, reducing the chance of a user sidestepping the system, or simply forgetting to apply best practice.

Encrypting all sensitive files in this way can also help to prevent an external attack, as even if a hacker gains access to the network, in most cases important files will still be safe. The only way for an attacker to easily get around these controls is to gain access through an authorised user, drastically reducing the window for a successful attack.
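The three mechanisms described above (keyword-driven classification, a role-to-clearance table, and encryption at the moment a file is created) fit together in a small model. The following is an added illustration written for this article, not code from any product or from Mossack Fonseca; the labels, key phrases, roles and clearance levels are constructed for the example, and the cipher is a stand-in that a real deployment would replace with AES-GCM from a vetted library and keys held in a KMS or HSM.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed classification rules, checked from most to least sensitive.
# A real deployment would take these phrases from the business's own policy.
CLASSIFICATION_RULES = [
    ("classified", ("beneficial owner", "nominee director", "bearer share")),
    ("confidential", ("bank account", "client file", "invoice")),
    ("internal use only", ("staff memo", "internal", "draft policy")),
]
PUBLIC = "public"
# Ordering of labels: a reader's clearance must be at least the file's label.
RANK = {PUBLIC: 0, "internal use only": 1, "confidential": 2, "classified": 3}

# Constructed role -> clearance table (the RBAC side). Any role not listed,
# such as an outside e-mail recipient, is treated as public clearance only.
ROLE_CLEARANCE = {
    "partner": "classified",
    "associate": "confidential",
    "intern": "internal use only",
}

# One data key per classification label, generated once per process here
# with os.urandom; a real system would keep these in a KMS/HSM.
LABEL_KEYS = {label: os.urandom(32) for label in RANK}


def classify(text: str) -> str:
    """Assign the most sensitive label whose key phrases appear in the text."""
    lowered = text.lower()
    for label, phrases in CLASSIFICATION_RULES:
        if any(phrase in lowered for phrase in phrases):
            return label
    return PUBLIC


def clearance_for(role: str) -> str:
    return ROLE_CLEARANCE.get(role, PUBLIC)


def can_access(role: str, label: str) -> bool:
    """RBAC decision: clearance rank must reach the file's label rank."""
    return RANK[clearance_for(role)] >= RANK[label]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: SHA-256 counter keystream XORed with the data.
    Illustrative only; production code would use AES-GCM from a vetted library."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block_key = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block_key))
    return bytes(out)


@dataclass
class ProtectedFile:
    label: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def protect_on_creation(text: str) -> ProtectedFile:
    """Classify, then encrypt under that label's key the moment the file exists."""
    label = classify(text)
    key = LABEL_KEYS[label]
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(key, nonce, text.encode())
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return ProtectedFile(label, nonce, ciphertext, tag)


def open_file(role: str, f: ProtectedFile):
    """Release plaintext only if the role's clearance covers the file's label
    and the content is untampered; otherwise the recipient gets nothing."""
    if not can_access(role, f.label):
        return None
    key = LABEL_KEYS[f.label]
    expected = hmac.new(key, f.nonce + f.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, f.tag):
        return None
    return _keystream_xor(key, f.nonce, f.ciphertext).decode()


if __name__ == "__main__":
    # Constructed sample document containing a 'classified' key phrase.
    doc = protect_on_creation("Client file: beneficial owner of Example Ltd")
    print(doc.label, open_file("partner", doc), open_file("journalist", doc))
```

The point the model makes is the one the article argues: the file is classified and encrypted as it is created, so a misdirected e-mail or a lost drive carries a ciphertext that only a role with sufficient clearance can open. The role check gates release of the label key, which is where enforcement actually sits in such a system.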

In the Mossack Fonseca case, having this type of security in place would have made it significantly more difficult for many key files to be accessed and removed from the system. All organisations who hold sensitive information for their clients, regardless of their practices, must ensure they have sufficient security in place to protect their data.